<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 6.2.0">

  <link rel="apple-touch-icon" sizes="180x180" href="/images/favicon.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon.png">
  <link rel="mask-icon" href="/images/favicon.png" color="#222">

<link rel="stylesheet" href="/css/main.css">



<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.2.1/css/all.min.css" integrity="sha256-Z1K5uhUaJXA7Ll0XrZ/0JhX4lAtZFpT6jkKrEDT0drU=" crossorigin="anonymous">
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">

<script class="next-config" data-name="main" type="application/json">{"hostname":"it-liupp.gitee.io","root":"/","images":"/images","scheme":"Gemini","darkmode":false,"version":"8.14.1","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12},"copycode":{"enable":false,"style":null},"bookmark":{"enable":true,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false,"i18n":{"placeholder":"搜索...","empty":"没有找到任何搜索结果：${query}","hits_time":"找到 ${hits} 个搜索结果（用时 ${time} 毫秒）","hits":"找到 ${hits} 个搜索结果"}}</script><script src="/js/config.js"></script>

    <meta property="og:type" content="article">
<meta property="og:title" content="Openeuler系统Bioset病毒处理和系统加固">
<meta property="og:url" content="https://it-liupp.gitee.io/2022/12/13/openeuler-bioset/index.html">
<meta property="og:site_name" content="Hello Mr Liu">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://it-liupp.gitee.io/images/openeuler-bioset/image-20231221174946277.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221213172139594.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221213172240825.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221213172530219.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221213173557602.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221213173648699.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221213174048033.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221213174328168.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221214093759495.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221214094054659.png">
<meta property="og:image" content="https://it-liupp.gitee.io/images/image-20221214100440974.png">
<meta property="article:published_time" content="2022-12-13T09:06:26.000Z">
<meta property="article:modified_time" content="2024-01-23T03:36:31.122Z">
<meta property="article:author" content="Mr Liu">
<meta property="article:tag" content="操作系统">
<meta property="article:tag" content="Linux">
<meta property="article:tag" content="OpenEuler">
<meta property="article:tag" content="Bioset">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://it-liupp.gitee.io/images/openeuler-bioset/image-20231221174946277.png">


<link rel="canonical" href="https://it-liupp.gitee.io/2022/12/13/openeuler-bioset/">



<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"zh-CN","comments":true,"permalink":"https://it-liupp.gitee.io/2022/12/13/openeuler-bioset/","path":"2022/12/13/openeuler-bioset/","title":"Openeuler系统Bioset病毒处理和系统加固"}</script>

<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>Openeuler系统Bioset病毒处理和系统加固 | Hello Mr Liu</title>
  







  <noscript>
    <link rel="stylesheet" href="/css/noscript.css">
  </noscript>
</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">

    <div class="main-inner post posts-expand">


  


<div class="post-block">
  
  

  <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://it-liupp.gitee.io/2022/12/13/openeuler-bioset/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.jpg">
      <meta itemprop="name" content="Mr Liu">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Hello Mr Liu">
      <meta itemprop="description" content="和意识先进的人在一起你才能转变意识，和心态积极的人在一起，你才能够积极，靠自己改变很难，一个人拽着自己的头发是很难把自己拎起来的。">
    </span>

    <span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
      <meta itemprop="name" content="Openeuler系统Bioset病毒处理和系统加固 | Hello Mr Liu">
      <meta itemprop="description" content="">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Openeuler系统Bioset病毒处理和系统加固
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">发表于</span>

      <time title="创建时间：2022-12-13 17:06:26" itemprop="dateCreated datePublished" datetime="2022-12-13T17:06:26+08:00">2022-12-13</time>
    </span>
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar-check"></i>
      </span>
      <span class="post-meta-item-text">更新于</span>
      <time title="修改时间：2024-01-23 11:36:31" itemprop="dateModified" datetime="2024-01-23T11:36:31+08:00">2024-01-23</time>
    </span>
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-folder"></i>
      </span>
      <span class="post-meta-item-text">分类于</span>
        <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
          <a href="/categories/%E6%93%8D%E4%BD%9C%E7%B3%BB%E7%BB%9F/" itemprop="url" rel="index"><span itemprop="name">操作系统</span></a>
        </span>
          ，
        <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
          <a href="/categories/%E6%93%8D%E4%BD%9C%E7%B3%BB%E7%BB%9F/%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85/" itemprop="url" rel="index"><span itemprop="name">软件安装</span></a>
        </span>
          ，
        <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
          <a href="/categories/%E6%93%8D%E4%BD%9C%E7%B3%BB%E7%BB%9F/%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85/%E7%B3%BB%E7%BB%9F%E5%8A%A0%E5%9B%BA/" itemprop="url" rel="index"><span itemprop="name">系统加固</span></a>
        </span>
    </span>

  
    <span class="post-meta-break"></span>
    <span class="post-meta-item" title="本文字数">
      <span class="post-meta-item-icon">
        <i class="far fa-file-word"></i>
      </span>
      <span class="post-meta-item-text">本文字数：</span>
      <span>2.1k</span>
    </span>
    <span class="post-meta-item" title="阅读时长">
      <span class="post-meta-item-icon">
        <i class="far fa-clock"></i>
      </span>
      <span class="post-meta-item-text">阅读时长 &asymp;</span>
      <span>8 分钟</span>
    </span>
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">
        <p><img src="/../images/openeuler-bioset/image-20231221174946277.png" alt="image-20231221174946277"></p>
<span id="more"></span>

<h2 id="系统环境"><a href="#系统环境" class="headerlink" title="系统环境"></a>系统环境</h2><blockquote>
<p>操作系统：OpenEuler22.03 LTS</p>
<p>服务器数量：N台</p>
<p>应用软件：wgcloud3.4.2（server+N个Agent）</p>
</blockquote>
<h2 id="问题发现"><a href="#问题发现" class="headerlink" title="问题发现"></a>问题发现</h2><p>公司内网的服务器状态监控一直采用wgcloud监控软件。某天突然发现安装有agent的服务器不停地提示下线，但远程登录后发现服务器并没有真正下线。期间公司运维主管人员反馈，私有云监控平台显示其中两台机器的CPU和内存使用率不正常、较高，但通过ssh登录这两台机器后用top命令查看，使用率并不高，所以当时并没有理会（事后看，平台侧监控与主机内top的结果不一致，本身就说明主机内的查看工具可能已不可信，应当立即排查）。其中有几台服务器为开发测试机器，但是因为利用率不高，所以当时并未接到开发人员反馈问题。</p>
<p>​	回过头来处理agent服务器掉线的问题，此时ssh登录agent服务器，想重启agent监控端应用，但提示发现无法启动，通过ll命令看到文件属性发生了变化：</p>
<p><img src="/../images/image-20221213172139594.png" alt="可执行文件属性被篡改"></p>
<p>从上图可以看出，该可执行文件的权限属性全部没有了，此时想删除和重启都无法执行：</p>
<p><img src="/../images/image-20221213172240825.png" alt="可执行文件无法执行"></p>
<p>通过报错关键字在度娘上搜索得知，文件可能变成了不可读不可写状态，于是用lsattr查看文件属性，再结合chattr和chmod +x命令重新给该执行文件增加了可执行权限：</p>
<p><img src="/../images/image-20221213172530219.png" alt="修复文件属性"></p>
<p>​	此时，可以正常执行了，但是仅过了一会，该文件状态又变回了不可读状态，通过top命令也没有发现异常进程。与wgcloud作者讨论了半天也没有讨论出个结果。</p>
<p>​	去看看其他agent服务器吧，看了以后才发现，之前看的服务器症状都是轻的：</p>
<blockquote>
<p>❗ 症状摸排：</p>
<ol>
<li>大部分主机出现N多ssh暴力尝试登录的记录（命令：lastb | less）；</li>
<li>部分主机出现自行进入紧急模式（Emergency mode），但输入密码，仍可执行部分命令；</li>
<li>部分主机出现ssh登录后，部分系统命令无法执行，提示not found，如ls等基础命令；</li>
<li>经抽样调查发现部分系统内应用执行文件也变成了不可读写状态，如docker相关执行文件；</li>
<li>部分主机上应用还在正常运行，现在不敢重启，怕重启后就启动不了了…</li>
</ol>
</blockquote>
<p>​	部分图如下所示：</p>
<p><img src="/../images/image-20221213173557602.png" alt="ssh匿名尝试登录部分数据"></p>
<p><img src="/../images/image-20221213173648699.png" alt="后台服务报错，提示需要进入紧急模式..."></p>
<h2 id="问题排查"><a href="#问题排查" class="headerlink" title="问题排查"></a>问题排查</h2><p>找了一个linux水平比较高的哥们，希望帮忙分析一下问题，按他的要求提供了内核日志（dmesg），他看了以后甩给我一个链接：<a target="_blank" rel="noopener" href="https://www.cnblogs.com/shenyuanfeng/p/16031414.html">https://www.cnblogs.com/shenyuanfeng/p/16031414.html</a> ，并说可能是bioset病毒，但是还不确定。此时我去翻看dmesg日志，在日志中看到了相关关键字：</p>
<p><img src="/../images/image-20221213174048033.png" alt="dmesg日志的bioset关键字"></p>
<p>​	我在度娘上找到了另一篇文章：<a target="_blank" rel="noopener" href="https://blog.csdn.net/weixin_45602663/article/details/123636623">(33条消息) linux 云服务器被暴破感染bioset_我啥都不会iii的博客-CSDN博客_bioset</a>  采用文中的方法，使用busybox工具终于看到了bioset病毒进程：</p>
<p><img src="/../images/image-20221213174328168.png" alt="busybox追查元凶"></p>
<p>此时直接kill是无法结束该进程的，它会自启，根本杀不掉。文中提供了杀死该进程的方法，这里不再赘述，总结一下：</p>
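<pre class="line-numbers language-bash" data-language="bash"><code class="language-bash"><span class="token comment"># Install busybox: the system's own top/ps may be intercepted by the malware, so use an independent tool</span>
<span class="token comment"># Keep certificate verification on (no --no-check-certificate); otherwise there is no assurance the binary was not replaced in transit</span>
<span class="token comment"># If verification fails on the infected host, download on a known-clean machine, check it there, and copy it over</span>
<span class="token function">wget</span> https://busybox.net/downloads/binaries/1.21.1/busybox-x86_64
<span class="token comment"># Record the checksum and compare it with a value from a trusted source before running the binary</span>
sha256sum busybox-x86_64
<span class="token function">chmod</span> +x busybox-x86_64
<span class="token function">mv</span> busybox-x86_64 /usr/local/bin/busybox
<span class="token comment"># busybox top: see the screenshot above</span>
<span class="token comment"># Record the checksum of the malware file before deleting it, for comparison on other hosts</span>
busybox sha256sum /usr/bin/bioset
<span class="token comment"># Clear the immutable attribute, then delete the malware file</span>
busybox chattr -i /usr/bin/bioset <span class="token operator">&amp;&amp;</span> busybox <span class="token function">rm</span> -rf /usr/bin/bioset
<span class="token comment"># Kill the malware process; 1247 is the PID from the screenshot above, replace it with the PID that busybox top shows</span>
<span class="token function">kill</span> -9 <span class="token number">1247</span>
<span class="token comment"># The malware file is now deleted; busybox top no longer shows the process and it does not restart itself</span><span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre>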

<blockquote>
<p>✅ 其他服务器的处理：</p>
<p>删除病毒文件只能防止系统被进一步破坏，并不能彻底解决问题。涉及的系统有OpenEuler和Centos系统。</p>
<p>病毒非常狡猾，拦截篡改了系统动态库，导致我们使用top、ps等命令查看不到病毒的进程，这时就需要使用busybox工具协助我们排查。不过由于被篡改的文件较多，所以最后只能选择重装系统。重装后还应更换这些主机上用过的全部口令和密钥，否则同样的口令仍可能被再次暴力破解。</p>
</blockquote>
<h2 id="系统加固"><a href="#系统加固" class="headerlink" title="系统加固"></a>系统加固</h2><p>​	通过这次事件，给了一个沉重的教训，针对该问题对系统加固有如下思考：</p>
<blockquote>
<p>❗ 加固思考：</p>
<p>1.增加登录密码的复杂度（中毒的机器密码都是“1234qwer”）；<br>2.修改ssh默认端口号；<br>3.尽可能使用普通用户，关闭root的ssh登录；<br>4.如果服务器只与部分机器互通，可限定可访问该服务器的IP范围；</p>
</blockquote>
<h3 id="修改密码"><a href="#修改密码" class="headerlink" title="修改密码"></a>修改密码</h3><blockquote>
<p>可通过passwd命令来修改当前用户的密码，建议密码组成尽可能复杂，降低被破解的概率，大小写字母、数字、特殊符号，建议至少三种组合，密码长度&gt;&#x3D;8.</p>
</blockquote>
<h3 id="修改ssh配置"><a href="#修改ssh配置" class="headerlink" title="修改ssh配置"></a>修改ssh配置</h3><blockquote>
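<p>通过修改ssh配置，变更ssh的默认端口号，关闭root的ssh登录权限；常规操作建议通过普通用户进行，需要执行系统命令时，普通用户可以在命令前增加sudo来执行。修改端口只能减少自动化扫描的噪音，真正防暴力破解还要靠强口令，或改用密钥登录并关闭口令登录（sshd_config中的PasswordAuthentication no）。</p>
<p>！需要注意的是，修改ssh端口时，如果selinux不在disable或者permissive状态，修改后无法生效，因为enforcing状态下sshd默认不能监听非标准端口。更稳妥的做法是保持enforcing，用 semanage port -a -t ssh_port_t -p tcp 新端口号 为新端口添加ssh_port_t标签，而不是为此关闭SELinux。</p>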
</blockquote>
<p>查询selinux状态：</p>
<pre class="line-numbers language-bash" data-language="bash"><code class="language-bash"><span class="token comment"># 查询selinux当前状态</span>
sestatus<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span></span></code></pre>

<p>输出结果如下：</p>
<pre class="line-numbers language-bash" data-language="bash"><code class="language-bash"><span class="token comment"># SELinux启用状态(建议启用)</span>
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
<span class="token comment">#SElinux当前模式</span>
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      <span class="token number">31</span><span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre>

<p>修改ssh配置命令如下:</p>
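<pre class="line-numbers language-bash" data-language="bash"><code class="language-bash"><span class="token comment"># Editing the ssh configuration needs root: run as root or prefix the commands with sudo</span>
<span class="token function">vi</span> /etc/ssh/sshd_config

<span class="token comment"># Find the "Port 22" line, remove the leading # and change 22 to another port</span>
<span class="token comment"># To avoid locking yourself out, uncomment "Port 22" and add a second "Port NEW_PORT" line below it</span>
<span class="token comment"># Once login over the new port is confirmed to work, remove the "Port 22" line</span>
<span class="token comment"># Change "PermitRootLogin yes" to "no"; this line controls whether root may log in over ssh</span>
<span class="token comment"># When done, press ESC and type :wq to save and quit</span>

<span class="token comment"># If SELinux is enforcing, label the new port first: semanage port -a -t ssh_port_t -p tcp NEW_PORT</span>
<span class="token comment"># If firewalld is running, allow the new port before restarting sshd</span>
<span class="token comment"># Check the configuration syntax first; a broken sshd_config can keep sshd from starting</span>
sshd -t
<span class="token comment"># Restart the ssh service (keep the current session open until a new login succeeds)</span>
systemctl restart sshd
<span class="token comment"># Check the ssh service status</span>
systemctl status sshd<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre>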

<p>相关配图如下：</p>
<p><img src="/../images/image-20221214093759495.png" alt="ssh配置文件"></p>
<p><img src="/../images/image-20221214094054659.png" alt="命令执行"></p>
<h3 id="限定IP访问访问范围"><a href="#限定IP访问访问范围" class="headerlink" title="限定IP访问范围"></a>限定IP访问范围</h3><p>对部署了特定应用的机器，通过防火墙限定能访问该机器指定端口的IP，可以降低被攻击的风险。举个例子，如果该服务器为Oracle数据库服务器，正常情况下，该服务器只接受应用服务器通过1521端口来访问。其他IP的访问都可以被拒绝。</p>
<p>​	具体操作如下：</p>
<pre class="line-numbers language-bash" data-language="bash"><code class="language-bash"><span class="token comment"># OpenEuler系统使用的是Firewalld防火墙，我们以此举例</span>

<span class="token comment"># 1.前提：确保firewalld服务正常运行</span>

<span class="token comment"># 查看防火墙状态</span>
systemctl status firewalld
<span class="token comment"># 开启防火墙</span>
systemctl start firewalld
<span class="token comment"># 开机启动</span>
systemctl <span class="token builtin class-name">enable</span> firewalld

<span class="token comment"># 2.关闭允许公开访问的端口</span>
<span class="token comment"># 查询打开的端口</span>
firewall-cmd --zone<span class="token operator">=</span>public --list-ports
<span class="token comment"># 如果输出结果为空，则跳过下面的关闭步骤</span>

<span class="token comment"># 关闭端口9001(这里是举例，端口号请修改为需要关闭的端口号)</span>
firewall-cmd --zone<span class="token operator">=</span>public --remove-port<span class="token operator">=</span><span class="token number">9001</span>/tcp --permanent
<span class="token comment"># 重新载入一下防火墙设置，使设置生效</span>
firewall-cmd --reload

<span class="token comment"># 3.加入限制访问规则</span>
<span class="token comment"># 允许ip192.168.1.68访问本机的1521端口</span>
<span class="token comment"># 如果允许多个IP访问，可以分次执行该命令</span>
<span class="token comment"># 添加指定IP段，可以将命令的IP地址修改为“192.168.1.1/24”,请根据实际情况调整。</span>
firewall-cmd --permanent --add-rich-rule<span class="token operator">=</span><span class="token string">"rule family="</span>ipv4<span class="token string">" source address="</span><span class="token number">192.168</span>.1.68<span class="token string">" port protocol="</span>tcp<span class="token string">" port="</span><span class="token number">1521</span><span class="token string">" accept"</span>
<span class="token comment"># 重新载入一下防火墙设置，使设置生效</span>
firewall-cmd --reload
<span class="token comment"># 查看已设置规则</span>
firewall-cmd --zone<span class="token operator">=</span>public --list-rich-rules<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre>

<p>可参考资料：<a target="_blank" rel="noopener" href="https://blog.csdn.net/haoqi9999/article/details/125988881">Linux防火墙firewall只允许特定IP访问</a></p>
<h3 id="其他问题"><a href="#其他问题" class="headerlink" title="其他问题"></a>其他问题</h3><p>Q1.普通用户执行sudo命令提示不在sudoer范围内。</p>
<p>A1:修改“/etc/sudoers”配置文件，增加普通用户的sudo权限。建议用visudo命令来编辑，它在保存时会检查语法，避免因写错配置导致sudo无法使用。</p>
<p><img src="/../images/image-20221214100440974.png" alt="sudoers配置修改"></p>
<p>其中devtool用户为普通用户，如果有其他用户，复制行，将用户名修改为指定用户名即可，保存后即时生效。</p>

    </div>

    
    
    

    <footer class="post-footer">

          

<div class="post-copyright">
<ul>
  <li class="post-copyright-author">
      <strong>本文作者： </strong>Mr Liu
  </li>
  <li class="post-copyright-link">
      <strong>本文链接：</strong>
      <a href="https://it-liupp.gitee.io/2022/12/13/openeuler-bioset/" title="Openeuler系统Bioset病毒处理和系统加固">https://it-liupp.gitee.io/2022/12/13/openeuler-bioset/</a>
  </li>
  <li class="post-copyright-license">
    <strong>版权声明： </strong>本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" rel="noopener" target="_blank"><i class="fab fa-fw fa-creative-commons"></i>BY-NC-SA</a> 许可协议。转载请注明出处！
  </li>
</ul>
</div>

    </footer>
  </article>
</div>






</div>
  </main>



  
  <script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous"></script>
<script src="/js/comments.js"></script><script src="/js/utils.js"></script><script src="/js/motion.js"></script><script src="/js/next-boot.js"></script><script src="/js/bookmark.js"></script>

  




  





</body>
</html>
